Bytware’s StandGuard Anti-Virus Now Detects Patched OS/400 Programs

To combat the security risk posed by allowing patched programs to run on OS/400 servers, IBM and Bytware have collaborated to include the capability to detect patched programs through a new release of Bytware’s StandGuard Anti-Virus software. While most patched programs are not dangerous, they can be written to wreak havoc, and the fact that OS/400 shops unknowingly run patched programs provided by ISVs presents a serious breach of good security practices, IBM’s OS/400 security architect says.

When Bytware announced StandGuard Anti-Virus, in June of 2003, it was a public admission by IBM that the iSeries has a serious problem with viruses. The problem is the iSeries’ Windows-like IFS file system, which, when connected to unprotected, Internet-connected PC clients, can become a festering cesspool of viruses, worms, Trojan horses, and assorted malware, constantly replicating themselves between the IFS and PC clients, and continually causing reinfection. Bytware’s product, an OS/400 implementation of the McAfee virus scanner and definitions, detects and kills Windows viruses in the IFS.

With this announcement, StandGuardAV gains the capability to detect OS/400 viruses, too (or, at least, the thing on OS/400 most closely resembling a virus, which, according to Pat Botz, IBM’s OS/400 security architect, is a patched program).

THE DANGER OF PATCHED PROGRAMS

A patched program is one that was created by the system’s “trusted translator” and then altered in a way that violates the definition of the machine interface and bypasses system security. Software developers often write patched programs because it is the only way they can provide a function for which IBM has not yet provided a command, an API, or another access point, particularly for older releases of OS/400. To get the functionality, developers will sometimes make changes to OS/400 or other programs provided by IBM that run in the system state.

Obviously IBM doesn’t want software vendors writing patched programs, but it can have its advantages. In addition to gaining functionality that developers might not be able to get any other way, making changes at the machine interface layer, as opposed to writing in a high-level language, like RPG or C, can result in faster execution. The Fast400 governor-buster is one example of a patched program, according to IBM. Developers of OS/400 utilities are the prime users of patched programs, says Mike Grant, president of Bytware, whose PeekPlus product is another example of a patched program.

But running patched programs presents risks. The potential negative effects of running patched programs range from being merely a nuisance to posing a real security problem. “Patched programs are potential dangers. They can do something useful or something bad,” Botz says. “At best, a patched program causes instability. At worst, it’s a major security exposure.”

On the stability side, Botz and others at IBM have spent hours with customers whose systems have crashed, meticulously tracing the cause and sometimes finding patched programs distributed by their ISV as the root of the problem. “Patched programs use all sorts of internal interfaces that are not documented and can change at any time,” Botz says. “That typically causes problems.”

On the other hand, patched programs can represent serious security risks. “The same technique could be used to patch the same program in a different way, or to patch a different program in a different way. It could be used to steal information, to delete information, or crash the system,” Botz says. “If you have a disgruntled employee with access to service tools, and they have knowledge of the system, they can patch the program on your system, and it could be difficult to determine how the program got on the system.”

What’s more, there is the possibility–albeit a very slim possibility–that patched programs could behave like a virus on OS/400. For an OS/400 virus to be distributed widely, however, an organization would have to be running without the prescribed security precautions in place, and, more important, it would require the system administrator to be fooled into installing a program, Botz says. “But if you’re worried about that on your PC server, think of the value you have on your OS/400 server. Even though the probability is less, the cost is much higher,” he says. “The big expensive money-stealing types of attacks almost always involve attacking the human process of a security policy.”

Has anybody actually used these techniques to hack OS/400? Maybe. “We’ve seen some suspicious activity,” Grant says. “Big Fortune 100 sites have called and asked us about this program created years ago by a consultant–what it does, why it’s there. It’s pretty suspicious, so they got rid of it.”

But since ISVs are using this potential avenue of attack every day to boost the functionality of their applications, it doesn’t really matter, from a security point of view, whether hackers are actively targeting OS/400 through patched programs. “That proves the point that it can be done,” Botz says. “They are patching things in such a way that it bypasses system integrity.”

WHAT TO DO ABOUT PATCHED PROGRAMS

Since V3R6, OS/400 has included a command called Check Object Integrity that can detect patched programs. With OS/400 V5R1, in 2001, security was further bolstered with new digital signatures capability. If a patched program was masquerading as part of the system, its digital signature would have been modified, thus giving it away as a patched program. With OS/400 V5R3, this functionality has been improved even more.

While these tools are available to OS/400 shops, Bytware has made them easier to use. An update to StandGuardAV will use all of these capabilities–the Check Object Integrity command and digital signatures on objects–to help users detect patched programs, without having to get their hands dirty with APIs or CL programs. The software will allow users to schedule periodic and automatic scans of their system, will provide a management GUI, and will also generate reports.

Grant estimates that three out of five ISVs have patched programs. When StandGuardAV users check for patched programs, they’ll probably find about a dozen of them, he says. Bytware recommends that users follow IBM’s recommendations when they find a patched program, which includes contacting the ISV and seeing if they have a non-patched version of the software. If they don’t, the vendor could work with IBM to use new APIs to provide the needed functionality, or they might choose to just leave the patched program alone.

THE SARBANES-OXLEY CONNECTION

As companies prepare for Sarbanes-Oxley Act audits later this year, the new patched program capability of StandGuardAV should become even more useful. For example, when a user signs on as QSECOFR to install a third-party product, you really don’t have any idea of the changes that the product might have made to the system, Grant says. “Sarbanes-Oxley requires that you document, or are aware of, changes that are made to the system,” he says. “With Sarbanes-Oxley, you need to know what’s going on.”

Software vendors can help prevent this threat to OS/400 security by not using patched programs, or at least by telling users they are, Botz says. “Vendors, if you’re doing this, it doesn’t mean you’re a bad guy, but you had better be up front about that,” he says. “ISVs should tell their customers up front, ‘Look, we do this; this is why our install works this way,’ rather than doing this to the customer without telling them, especially in this age of Sarbanes-Oxley.”

ISVs can also help by using digital signatures to validate the integrity of their objects, the capability IBM introduced with OS/400 V5R1. Up to this point, few, if any, vendors are using this capability, which can help to identify patched programs. “We’d really like to see ISVs taking advantage of that,” Botz says. “If it’s automated, and customers were using it, we’d all be just a little safer.”

A 30-day trial copy of StandGuardAV is shipped on every new machine and license for OS/400 V5R3 as part of a deal Bytware landed with IBM earlier this year. License fees for StandGuardAV ranged in price from $1,200 to $7,000 (depending on the processor tier) per OS/400 logical partition. For more information, contact the Reno, Nevada, vendor at www.bytware.com.